Delete file in privileged folder like system32

  • 24 September 2023
  • 2 replies

Userlevel 1

I’m trying to remediate

We use a 3rd party antivirus and not Microsoft Defender. Microsoft recommends deleting the file MpSigStub.exe. It’s located in C:\Windows\System32. 


I tried to create the following but i think it’s not working because system32 needs elevated privileges. Any ideas?


Evaluation Code:


Exit 1


Remediation code:


Remove-Item -path "C:\Windows\System32\MpSigStub.exe”

2 replies

Userlevel 3

Hi @fina27 !

Automox runs as SYSTEM so your issue is unlikely related to elevated privileges.

Since you are attempting to remove a file from the protected Windows\System32directory, you’ll need to include -Force -Recurseto your Remove-Itemcmdlet.


Remove-Item -Path "C:\Windows\System32\MpSigStub.exe” -Force -Recurse


Your post inspired me though, and I decided to put together a formal Catalog Worklet that you can use to mitigate the vulnerability on devices that use a third-party AV instead of Defender.  You can check it out here:


Evaluation code will check to see if Windows Defender is disabled and that the MpSigStub.exe file is present.  If both conditions are met, the device will be flagged for remediation.


The remediation code will then forcefully remove the MpSigStub.exe file from the device.

Output of the worklet run will be appended to your Activity Log:


This worklet is designed just for devices that aren’t using Defender as their primary AV.  If the devices use Defender, the MpSigStub.exe file will patch automatically during Defender’s definition updates so there’s no action needed for those devices.


I hope this helps!


Have a great evening!

Userlevel 1

Wow!..  thank you very much! Perfect reason of why we have Automox